A little more than two years after its approval by the European Parliament, the new European Regulation on Data Protection or GDPR (General Data Protection Regulation) will go into effect on May 25, 2018. It is not just another regulatory change: it is the most important change to European data regulation in 20 years and involves new rights for consumers, such as the right to be forgotten and the right to data portability. It also strengthens the concept of consent.
GDPR is an update of Directive 95/46/CE, deemed obsolete due to, among other factors, society's rapid technological and digital development, which presents new challenges regarding the protection of personal data. New realities such as big data and the processing of data over social networks (the recent Facebook case is a good example) call for a more solid, coherent framework for personal data protection in the European Union.
As affirmed by Věra Jourová, European Commissioner for Justice, Consumers, and Gender Equality, the regulation is about providing “modern rules to respond to new risks.”
Data protection is a topic that concerns Europeans of all ages, though most especially those over 54, as indicated by the 2017 Global Web Index survey. The survey also reveals that 57% of the so-called Generation Z, young people between 16 and 20, are concerned about how their data is used by companies. Among “millennials” (those between 21 and 34 years old), the figure is 58%, and among Gen-Xers (those between 35 and 53) the figure rises to 61%.
GDPR's objective isn't only to standardize European regulation, but also to strengthen the data protection of European citizens and companies that operate in the EU. What are the main changes introduced by GDPR?
The right to be forgotten and the right of data portability
As an innovative initiative, GDPR establishes two new rights for European consumers: the right to data portability and the right to be forgotten. What does the right to data portability consist of? Fundamentally, it gives the consumer the right to ask a company that manages his or her data to hand over all of the consumer's data.
This data has to be delivered to other companies (at the consumer's request) in a commonly-used, machine-readable, structured format, when technically feasible. Regarding the right to be forgotten, the owner of the personal data has the right to have his or her data erased or destroyed.
When data is handled with the consent of the interested party (the data owner), the party responsible for handling the data must be able to demonstrate that they have received the data owner's consent. The new regulation reinforces this concept and requires that the data owner's consent be specific (in other words, provided for a concrete aim), informed and unequivocal. Tacit consent is no longer permissible.
Additionally, consent must be revocable at any time; therefore, the party that handles the data must provide data owners with simple and easily accessible mechanisms for cancelling their consent.
As a consequence, the new regulation obligates companies to undertake efforts to adapt and conform to the objective of better protecting the privacy of Europeans and the security and trust of consumers.